Thursday, March 28, 2013

Rep. Wolf's Flawed Approach to Supply Chain Security

According to this article in today's Politico, Rep. Wolf has inserted language in a budget stopgap bill that is "meant to ensure Chinese companies certify their independence from official Beijing before they can sell their goods to the Commerce Department, among others, during the life of the continuing resolution." Furthermore, it excludes "American companies who do assembling in China".

This provision is stunning in terms of its utter uselessness as a cyber security measure. The problem that Rep. Wolf should be worried about is how easily U.S. companies that have offices in China can be compromised by the Chinese government, in ways that go far beyond what is normally reported by the press.

Yet another problem is how quickly U.S. companies open R&D labs in China which result in technology transfer and a rapid escalation of China's own technological innovation. As an example, I just tried to contact two Microsoft Asia researchers (both Chinese) whose work focused on a specific type of data analytics that my company is interested in. Both researchers had recently left Microsoft and are now continuing their research at Huawei. This revolving door happens all the time and represents just one small part of the vast threat landscape for U.S. companies and by extension the U.S. government that extends far beyond a spear phishing attack and the APT kill chain.

Not only is Rep. Wolf's language utterly useless from a security perspective, it's detrimental to U.S.-China relations which, like it or not, we depend on. We have the ability to handle this problem in a much smarter, more effective way if legislators would invite a broader base of experts in to testify and give guidance on this issue rather than the same anti-China cheerleaders time and again.

4 comments:

But I'm glad that Frank Wolf is doing something completely useless that will make no difference. It wastes his time, and keeps him from doing something that might in fact be harmful. Also, removing ignorance may not always be a good thing. Some people you don't want to give information to because they will use that information against you. If Rep. Wolf did have a deep understanding of cybersecurity, he might be proposing to do things that might seriously mess things up.

Legislation and government is this giant chess game, and one of the more important parts of my education was watching professional lobbyists in action. Time is precious so you want to get people who you want to block to do as many useless things as possible, while at the same time avoiding getting yourself trapped into fights that waste your time.

People are different, and there are some things that people are just never going to agree on. Rep. Wolf is a smart, talented legislator, but he and I are just not going to agree on China policy, so instead of trying to convince him, the goal would be to work with people who I do agree with (Max Baucus, Charles Boustany, and Rick Larsen to name some names) to make sure that he never gets anything real done.

Part of effective lobbying is to not think in abstract terms. You shouldn't be dealing with "legislators" in the abstract; you are dealing with particular legislators representing particular districts with particular interests. For example, Frank Wolf represents the 10th Virginia Congressional district, and part of requiring more reports and making it difficult for Chinese manufacturers to get contracts is that this benefits IT contractors in northern Virginia. Conversely, Boustany's 3rd Louisiana District is really trying to export rice to China, and if China moves into high technology and no one is interested in growing rice, then his district wins.

One thing that is useful in security and intelligence work is to "get inside the head" of other people, and also to have a lot of respect for your adversaries. For example, Wolf tends to be anti-China because he is very interested in religious freedom and so he would likely be more interested in the fate of house churches. Dana Rohrabacher tends to be extremely interested in China's activities in the South China Sea because his district has a very large Filipino and Vietnamese population. When Ileana Ros-Lehtinen sees China, she sees Cuba.

Political analysis in China also can be surprisingly similar.

The other thing is that once you get into the nitty-gritty of politics (whether in China or the United States) it can be incredibly addictive. It's like chess only with a thousand pieces, a dozen sides, and tens of thousands of squares.